-----BEGIN PGP SIGNED MESSAGE-----

=============================================================================
FreeBSD-SA-01:62                                           Security Advisory
                                                                FreeBSD, Inc.

Topic:          UUCP allows local root exploit

Category:       core
Module:         uucp
Announced:      2001-10-08
Credits:        zen-parse@gmx.net
Affects:        All released versions of FreeBSD 4.x prior to 4.4.
                FreeBSD 4.3-STABLE prior to the correction date.
Corrected:      2001-09-10 20:22:57 UTC (FreeBSD 4.3-STABLE)
                2001-09-10 22:30:28 UTC (RELENG_4_3)
FreeBSD only:   NO

I.   Background

Taylor UUCP is an implementation of the Unix-to-Unix Copy Protocol, a
protocol sometimes used for mail delivery on systems where permanent
IP connectivity to the internet is not available.

II.  Problem Description

The UUCP suite of utilities allow a user-specified configuration file
to be given on the command-line.  This configuration file is
incorrectly processed by the setuid uucp and/or setgid dialer UUCP
utilities while running as the uucp user and/or dialer group, and
allows unprivileged local users to execute arbitrary commands as the
uucp user and/or dialer group.

Since the uucp user owns most of the UUCP binaries (this is required
for UUCP to be able to write to its spool directory during normal
operation, by virtue of being setuid) the attacker can replace these
binaries with trojaned versions which execute arbitrary commands as
the user which runs them.  The uustat binary is run as root by default
during the daily maintenance scripts.

All versions of FreeBSD 4.x prior to the correction date including
4.3-RELEASE are vulnerable to this problem, but it was corrected prior
to the release of FreeBSD 4.4-RELEASE.

III. Impact

Unprivileged local users can overwrite the uustat binary, which is
executed as root by the daily system maintenance scripts.  This allows
them to execute arbitrary commands as root the next time the daily
maintenance scripts are run.

IV.  Workaround

One or more of the following:

1) Set the noschg flag on all binaries owned by the uucp user:

# chflags schg /usr/bin/cu /usr/bin/uucp /usr/bin/uuname \
/usr/bin/uustat /usr/bin/uux /usr/bin/tip /usr/libexec/uucp/uucico \
/usr/libexec/uucp/uuxqt

2) Remove the above binaries from the system, if UUCP is not in use.

3) Disable the daily UUCP maintenance tasks by adding the following
lines to /etc/periodic.conf:

# 340.uucp
daily_uuclean_enable="NO"                              # Run uuclean.daily

# 410.status-uucp
daily_status_uucp_enable="NO"                          # Check uucp status

# 300.uucp
weekly_uucp_enable="NO"                                # Clean uucp weekly

V.   Solution

We recommend that UUCP be removed entirely from systems containing
untrusted users: to remove UUCP, refer to the directions in section IV
above.  Compiling the UUCP binaries when rebuilding the FreeBSD system
can be prevented by adding the following line to /etc/make.conf:

NOUUCP=true

1) Upgrade your vulnerable FreeBSD system to 4.4-RELEASE, 4.4-STABLE
or the RELENG_4_3 security branch dated after the respective
correction dates.

2) To patch your present system: download the relevant patch from the
below location, and execute the following commands as root:

[FreeBSD 4.3]

# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-01:62/uucp.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-01:62/uucp.patch.asc

Verify the detached PGP signature using your PGP utility.

# cd /usr/src
# patch -p < /path/to/patch
# make depend && make all install

3) FreeBSD 4.3-RELEASE systems:

An experimental upgrade package is available for users who wish to
provide testing and feedback on the binary upgrade process.  This
package may be installed on FreeBSD 4.3-RELEASE systems only, and is
intended for use on systems for which source patching is not practical
or convenient.

If you use the upgrade package, feedback (positive or negative) to
security-officer@FreeBSD.org is requested so we can improve the
process for future advisories.

During the installation procedure, backup copies are made of the files
which are replaced by the package.  These backup copies will be
reinstalled if the package is removed, reverting the system to a
pre-patched state.

# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/packages/SA-01:62/security-patch-uucp-01.62.tgz
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/packages/SA-01:62/security-patch-uucp-01.62.tgz.asc

Verify the detached PGP signature using your PGP utility.

# pkg_add security-patch-uucp-01.62.tgz

VI.   Correction details

The following is the $FreeBSD$ revision number of the file that was
corrected for the supported branches of FreeBSD.  The $FreeBSD$
revision number of the installed source can be examined using the
ident(1) command.  The patch provided above does not cause these
revision numbers to be updated.

[FreeBSD 4.3-STABLE]
  Revision       Path

[RELENG_4_3]
  Revision     Path
  1.8.4.1      src/gnu/libexec/uucp/cu/Makefile
  1.6.4.1      src/gnu/libexec/uucp/uucp/Makefile
  1.5.4.1      src/gnu/libexec/uucp/uuname/Makefile
  1.5.4.1      src/gnu/libexec/uucp/uustat/Makefile
  1.6.4.1      src/gnu/libexec/uucp/uux/Makefile
  1.10.8.1     src/usr.bin/tip/tip/Makefile
  1.3.2.2.2.1  src/etc/periodic/daily/410.status-uucp

VII.  References

<URL: http://www.securityfocus.com/bid/3312>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (FreeBSD)
Comment: For info see http://www.gnupg.org

iQCVAwUBO8IU0FUuHi5z0oilAQFE4gP/dqLwzjAk3M5fhtfsENFy0OAlzQA70SG3
IJibpH19KdjcQX53CrLI/wI34JXqCVfiGpw2kLSysL6yfbBI+3Z2YUxPRaxrtoGF
9R4ZcCuuLuE14pCmAtWnLEdXFHVRThJzsLzk2xEZkhYU5hufW3+IqfIMcMNayQbf
BSI5/zAjPG4=
=TBLy
-----END PGP SIGNATURE-----
